State-sponsored Iranian hackers, who had until now focused almost exclusively on
civil and human rights activists using the Android operating system, have for
the first time developed malware (malicious software that steals data from or
disables computers) that targets users of Apple's macOS computers, according
to a new report by Internet security expert Collin Anderson.

"My fear is that many people switched to Mac (Apple) because they were concerned
about malware and security issues (thinking Mac would better protect them), but
doing this alone does not solve the issue," Anderson, who is based in
Washington, DC, told the Campaign for Human Rights in Iran. "So this is why this
report is serious: it's informing Mac users that they still have to be vigilant
because Iranian groups are now targeting them as well."

"Few if any people were infected by the Mac malware," said Anderson. "The
Windows versions that communicated with the same servers had infected a small
number of people inside of Iran and in the diaspora."

"We chose to report on the malware early on because it represented a change in
the behavior of Iranian groups, rather than an active campaign with many
victims," he added. "Our goal was to prepare potential targets for the
possibility of being targeted by educating them that macOS can still be
vulnerable to malware."

The internet and social media apps are heavily
restricted and censored in Iran, with hardliners in the government viewing
any form of internet freedom as a threat to the sanctity of the Islamic
Republic. Research by the Campaign has shown that Iranian hackers, often
directed by hardliners within the country's government, periodically launch campaigns against
civil and human rights activists and organizations to disrupt or intimidate them
into ceasing their peaceful activism.

Anderson, who runs the Iran Threats website, told the Campaign that the
hackers are targeting the computers of civil rights activists with a revamped
version of the MacDownloader malware, which had previously been observed
targeting the defense industrial base.

MacDownloader was designed to steal victims' credentials in two ways: by
presenting a fake system prompt that asks the user to enter or reset their
password, and by copying the macOS keychain databases in which the system
stores saved passwords.

A statement issued
by Iran Threats on February 6, 2017 detailed the process:

"A macOS malware agent, named MacDownloader, was observed in the wild as
targeting the defense industrial base, and reported elsewhere to have been used
against a human rights advocate. MacDownloader strangely attempts to pose as
both an installer for Adobe Flash, as well as the Bitdefender Adware Removal
Tool, in order to extract system information and copies of OS X keychain
databases. Based on observations on infrastructure, and the state of the
code, we believe these incidents represent the first attempts to deploy the
agent, and features such as persistence do not appear to work. Instead,
MacDownloader is a simple exfiltration agent, with broader ambitions."

The keychain databases are encrypted with the user's login password, which is
why the malware also phishes for that password. Once attackers hold both the
copied keychain files and the password, they can decrypt the stored
credentials for email accounts, websites, software and hardware, and gain
access to virtually all the information users keep on their computers and
online.

What can users do to protect themselves against the malware?

"There's no simple remedy, and the best protection is to be skeptical about the
software that one downloads, and to be cautious about the emails they receive,"
Anderson told the Campaign.

"As we show in the report, antivirus software typically relies on having
detected a piece of malware before flagging it as malicious," he added. "Since
the Iranian attacks are targeting a small population (rights activists), the
detection rate by those products is low. Antivirus is not sufficient in
protecting against targeted attacks."
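Anderson's two points above, that MacDownloader's real payload is reading the keychain databases and that antivirus products miss a rarely seen, targeted sample because they match on signatures of malware they have already catalogued, can be turned into a concrete detection contrast. The script below is an added example written for this article; it is not code from the Iran Threats report or from the malware. It runs a behavioural rule over a handful of constructed file-access events (the key="value" line format, the paths, process names and signer strings are all assumptions made up for the example, not output of any real tool), flagging any non-Apple process that opens a keychain database and escalating when the process name impersonates a vendor that did not sign it. Alongside it, a hash-based check shows how a one-byte rebuild of a sample slips past a signature that matched the original.

```python
"""Behavioural vs. signature-based detection of keychain theft on macOS.

Added example for this article. All event lines, process paths, signer
names and sample bytes below are constructed for illustration.
"""
import hashlib
import re
from typing import Dict, List

# Constructed, simplified file-access events (an assumed key="value" format,
# not the output of any real EDR or of the macOS unified log).
SAMPLE_EVENTS = [
    'ts=2017-02-06T10:12:01 pid=512 proc="/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow" signer="Software Signing" op=open path="/Users/alice/Library/Keychains/login.keychain-db"',
    'ts=2017-02-06T10:12:09 pid=777 proc="/Users/alice/Downloads/Adobe Flash Player.app/Contents/MacOS/flash" signer="unsigned" op=open path="/Users/alice/Library/Keychains/login.keychain-db"',
    'ts=2017-02-06T10:12:10 pid=777 proc="/Users/alice/Downloads/Adobe Flash Player.app/Contents/MacOS/flash" signer="unsigned" op=open path="/Library/Keychains/System.keychain"',
    'ts=2017-02-06T10:13:00 pid=801 proc="/Applications/Bitdefender Adware Removal Tool.app/Contents/MacOS/bdart" signer="unsigned" op=open path="/etc/hosts"',
    'ts=2017-02-06T10:13:05 pid=820 proc="/Applications/Firefox.app/Contents/MacOS/firefox" signer="Developer ID Application: Mozilla Corporation" op=open path="/Users/alice/Documents/notes.txt"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Keychain database files live under a Library/Keychains directory (user or system).
KEYCHAIN_RE = re.compile(r"/Library/Keychains/[^/]+\.keychain(-db)?$")
APPLE_SIGNER = "Software Signing"  # assumed signer label for Apple's own system binaries
# Words an impostor process might carry in its name, mapped to the vendor that
# would legitimately sign such a binary (assumed mapping for the example).
IMPERSONATION_WORDS = {"adobe": "adobe", "flash": "adobe", "bitdefender": "bitdefender"}


def parse_event(line: str) -> Dict[str, str]:
    """Split one key="value" / key=value event line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def assess(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like keychain theft; empty if benign."""
    reasons: List[str] = []
    if not KEYCHAIN_RE.search(event.get("path", "")):
        return reasons  # not touching a keychain database at all
    if event.get("signer") == APPLE_SIGNER:
        return reasons  # Apple's own keychain-aware components read these routinely
    reasons.append("keychain database opened by non-Apple process")
    proc = event.get("proc", "").lower()
    signer = event.get("signer", "").lower()
    for word, vendor in IMPERSONATION_WORDS.items():
        if word in proc and vendor not in signer:
            reasons.append(f"process name suggests '{vendor}' but binary is not signed by that vendor")
            break
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run the behavioural rule over event lines and collect alerts."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            alerts.append({"pid": event.get("pid"), "path": event.get("path"), "reasons": reasons})
    return alerts


# Signature-style check: a hash allow/deny list only knows builds seen before.
SAMPLE_A = b"constructed placeholder bytes standing in for one build of a dropper"
SAMPLE_B = SAMPLE_A + b"\x00"  # the same program rebuilt or padded by one byte
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_A).hexdigest()}


def hash_matches(sample: bytes) -> bool:
    """True only if this exact byte sequence was catalogued earlier."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_SHA256


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"pid {alert['pid']} opened {alert['path']}: {'; '.join(alert['reasons'])}")
    print("original build matched by hash:", hash_matches(SAMPLE_A))
    print("rebuilt variant matched by hash:", hash_matches(SAMPLE_B))
```

Only the two opens of keychain files by the unsigned "Adobe Flash Player" process are flagged; the Apple-signed loginwindow read and the impostor's read of an unrelated file are not, which is the point of keying the rule on the behaviour (who reads the keychain) rather than on the file name or the hash. The hash check matches the original sample and misses the one-byte variant, which is why a small, targeted campaign sails past signature-based antivirus until someone submits a sample.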